Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was bad for information security was pretty, and I would say that the trend is worrying. So I expect the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 there was Airplanes hacked, cars hacked, vulnerabilities in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and in the identification of target can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.

 

cadenas

EU information security decisions made in late 2015 will have impact on what comes in 2016: New EU data protection legislation package approved and EU Court of Justice decision in which it noted the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under the Safe Harbor violation of law – you need some other agreement for this. The situation for this will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After huge amount of user information leaks in 2015 from all kinds of Internet services, there will the challenges for cloud companies to gain trust in their security. You might have just dared to trust “the right cloud services,” since in principle the traditional information security point of view, they seem to be the main things okay, rising this privacy issues raised.

New environments will bring new threats. New operating systems versions means that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important important in 2016 as 5G networks will be critical infrastructure, on top of which for example. transport, industry, health and the new operators set up their business around 2020.

The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem in revelations as all other news coverage is the exponential growth of knowledge. There are variety of news summaries produced a daily basis, but they are not enough to get good picture of what is happening. There are bigger and smaller news, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

Old way network security focused on perimeter defense is not enough in 2016. Old mantras “encrypt everything” and “secure the perimeter,” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: If you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network.  Traditional sandboxing will no longer protect against the growing malware landscape.  Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to public key infrastructure lock-and-key system you will need also an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans to various kinds of breaches – with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will continue to be strong throughout year 2016. In 2015 Law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes.Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that Governments Lie About Encryption Backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials to demand such thing with varying success on different countries. Another fact is that The existence of coded communications is a reality and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: Encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access to government – ie, a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminalsJuniper’s VPN security hole is proof that govt backdoors are bonkers.  Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. The poorly thought-out and crude surveillance technique could have a devastating effect on the country’s internet security- as for example Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users install state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for early SHA-1 crypto cutoff that can happen in 2016 instead of earlier planned Jan 1st,  2017. Due to recent research showing that SHA-1 is weaker than previously believed, because it’s been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start display errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates in the end of 2016.

The use of Blockchain technology, permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will get used more widely than for just Bitcoin virtual money. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock.  Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces to create an alternative to the blockchain with Linux Foundation.

The use of disk encryption will increase and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or loose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security neeeds. The disadvantage of this approach is that Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.

cadenas

Weak leaking passwords are still huge security problem still in 2016. Passwords are often the weakest parts when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering in a code sent via text method to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google begins testing login system that uses phone notifications for authentication instead of passwords: authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

Smart phone will become more and more security critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?

cadenas

Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP as “There are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example US Navy is using obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the wrong approach to information security completely.

Cars were hacked at record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars are featuring more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacksI Am The Cavalry has published a five star Cyber Safety Framework to mitigate this threat in cars, hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms – not yet the weapon of choice for commercial malware authors – but business beware. Wearables won’t be safe, either, as they are built using largerly same too often vulnerable technologies as other IoT system. IoT security is still in in infancy in 2016.

Cyber criminals have become more active in 2015 particularly in the malicious the ransom fabrications. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily and Exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware I recommend to ensure IT Support or your service provider the data back-up and restoring procedure operational, practiced and tested. You can need it in 2016 to get your data back without considering paying to criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016 and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held ransom to DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. Ransomware Is Coming to Medical Devices article tells that according to a report released recently week by Forrester Research the number one cybersecurity prediction for 2016: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint”. Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    FBI, DHS release report on Russia hacking
    http://thehill.com/policy/national-security/312132-fbi-dhs-release-report-on-russia-hacking

    The FBI and the Department of Homeland Security (DHS) on Thursday released a joint report detailing how federal investigators linked the Russian government to hacks of Democratic Party organizations.

    The document makes clear reference to the hacks of the Democratic National Committee (DNC) and Hillary Clinton campaign chairman John Podesta, though it does not mention either by name.

    The 13-page report provides technical details regarding tools and infrastructure used by Russian civilian and military intelligence services to “compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.”

    In the October statement, officials described the the hacks and subsequent publication of stolen emails on WikiLeaks as an attempt to “interfere” with the U.S. election that is “consistent with the Russian-directed efforts,” but provided no evidence to support their assessment.

    President-elect Donald Trump has denied that Russia was involved in the hacks, and Obama has been under pressure to provide proof.

    Private security firms provided more detailed forensic analysis, which the FBI and DHS said Thursday correlated with the IC’s findings.

    The report identifies two Russian intelligence groups already named by CrowdStrike and other private security firms.

    The FSB is thought to be behind the hacking group known as APT29.

    The GRU, Russia’s military intelligence service, is thought to be behind the second group that infiltrated the DNC, known as APT28. APT28 is also believed to have breached Podesta’s emails.

    Despite their overlapping targets, the two agencies have different missions in the cyber realm.

    Both organizations gained access to the DNC through targeted spearphishing campaigns

    Reply
  2. Tomi Engdahl says:

    Obama’s Russian Hacking Retaliation Is Biggest “Since the Cold War”
    https://www.wired.com/2016/12/obama-russia-hacking-sanctions-diplomats/

    Since US intelligence agencies in October identified the Russian government as the source of hacker attacks that breached the Democratic party organizations and leaked private email conversations, President’s Obama’s White House has been searching for an appropriate response. Now, the administration has finally shot back, deporting Russian officials and calling out the individuals and organizations responsible for that hacking, in a set of measures never before seen in America’s digital diplomacy.

    The White House on Thursday announced a severe series of measures aimed at punishing Russia’s state-sponsored political hackers and deterring further meddling in US elections. One element of the response, laid out in an executive order, includes sanctions against a handful of Russian organizations and individuals targeted by name. The US will expel 35 Russian diplomats believed to have acted as intelligence agents, and ban Russian personnel from two Russian-government compounds that the White House says were used for Russian intelligence gathering from American soil.

    Reply
  3. Tomi Engdahl says:

    Airline passenger details easy prey for hackers, say researchers
    https://www.theguardian.com/technology/2016/dec/28/airline-passenger-details-online-bookings-easy-prey-hackers-say-researchers

    Worldwide system used to coordinate travel bookings between airlines is insecure and easy to exploit, experts reveal

    The worldwide system used to coordinate travel bookings between airlines, travel agents, and price comparison websites is hopelessly insecure, according to researchers.

    The lack of modern security features, both in the design of the system itself and of the many sites and services that control access to it, makes it easy for an attacker to harvest personal information from bookings, steal flights by altering ticketing details, or earn millions of air miles by attaching new frequent-flyer numbers to pre-booked flights, according to German security firm SR Labs.

    Known as Global Distribution Systems (GDS), the technology dates back to the 1960s, when one of the first companies in the field, Sabre, was founded. To most travellers, the technology is most obviously associated with the six-character Passenger Name Record (PNR) frequently used to enable online check-in and ticket retrieval.

    The PNR system was also the route for many of the weaknesses demonstrated by Karsten Nohl and Nemanja Nikodijevic, the researchers who revealed the flaws at this year’s Chaos Communication Congress hacker convention in Hamburg.

    Legacy booking systems disclose travelers’ private information
    https://srlabs.de/bites/travel-hacking/

    ravel bookings worldwide are maintained in a handful of systems. The three largest Global Distributed Systems (GDS) Amadeus, Sabre, and Travelport administer more than 90% of flight reservations as well as numerous hotel, car, and other travel bookings.

    Today’s GDSs go back to the 70s and 80s, built around mainframe computers and leased lines. The systems have since been interwoven with web services, but still lack several web security best practices.

    Reply
  4. Tomi Engdahl says:

    U.S. evicts Russians for spying, imposes sanctions after election hacks
    http://www.reuters.com/article/us-usa-russia-cyber-idUSKBN14I1TY

    President Barack Obama on Thursday ordered the expulsion of 35 Russian suspected spies and imposed sanctions on two Russian intelligence agencies over their involvement in hacking U.S. political groups in the 2016 presidential election.

    “These actions follow repeated private and public warnings that we have issued to the Russian government, and are a necessary and appropriate response to efforts to harm U.S. interests in violation of established international norms of behavior,” Obama said in a statement from Hawaii, where he is on vacation.

    “All Americans should be alarmed by Russia’s actions,” he said.

    Barack Obama expels 35 Russian spies over election hacking row in ‘Cold War deja vu’
    http://www.telegraph.co.uk/news/2016/12/29/obama-expels-35-russian-diplomats-election-hacking-row/

    The United States has expelled 35 Russian spies in response to Kremlin-backed interference in the presidential election, further escalating tensions between Moscow and Washington.

    The diplomatic officials from the Russian embassy in Washington and its consulate in San Francisco were deemed “persona non grata” and told to leave the country within 72 hours.

    According to one US official there are a total of about 100 Russian spies in the US, so about one third of them are being ejected.

    The compound being closed in Maryland is a sprawling coastal estate purchased by the Soviet Union in the 1970s. It is listed as the summer retreat for the Russian embassy but has been used for espionage, according to US officials.

    “We are prepared for retaliatory steps the Russian government may take.”

    Reply
  5. Tomi Engdahl says:

    Sam Thielman / The Guardian:
    FBI-DHS joint report links two Russian intelligence hacking groups to hacks of Democratic Party organizations; experts say report is too little too late — Experts say report is too little too late and comes after several others from private sector detailing alleged exploits of groups Fancy Bear and Cozy Bear

    FBI and Homeland Security detail Russian hacking campaign in new report
    https://www.theguardian.com/technology/2016/dec/29/fbi-dhs-russian-hacking-report

    Experts say report is too little too late and comes after several others from private sector detailing alleged exploits of groups Fancy Bear and Cozy Bear

    Reply
  6. Tomi Engdahl says:

    Eric Schlosser / New Yorker:
    A look at the vulnerability of the nuclear command-and-control system, which uses a “launch on warning” strategy endangered by obsolete hardware and software — Harsh political rhetoric, combined with the vulnerability of the nuclear command-and-control system, has made the risk of global catastrophe greater than ever.

    World War Three, by Mistake
    http://www.newyorker.com/news/news-desk/world-war-three-by-mistake

    Harsh political rhetoric, combined with the vulnerability of the nuclear command-and-control system, has made the risk of global catastrophe greater than ever.

    Reply
  7. Tomi Engdahl says:

    Your Computer, Who Can You Trust?
    http://hackaday.com/2016/12/29/33c3-if-you-cant-trust-your-computer-who-can-you-trust/

    It’s a sign of the times: the first day of the 33rd Chaos Communications Congress (33C3) included two talks related to assuring that your own computer wasn’t being turned against you. The two talks are respectively practical and idealistic, realizable today and a work that’s still in the idea stage.

    Reply
  8. Tomi Engdahl says:

    Little Bobby Tables Just Registered a Company…
    http://hackaday.com/2016/12/29/if-bobby-tables-had-his-own-company/

    You will no doubt be familiar with the XKCD cartoon number 327, entitled “Exploits of a Mom”, but familiarly referred to as “[Bobby Tables]”. In it a teacher is ringing the mother of little [Robert’); DROP TABLE Students; –],

    Today we have a new twist on the Bobby Tables gag, for someone has registered a British company with the name “; DROP TABLE “COMPANIES”;– LTD“. Amusingly the people at Companies House have allowed the registration to proceed, so either they get the joke too or they are unaware of the nuances of a basic SQL exploit.

    Of course, the chances of such a simple and well-known exploit having any effect is minimal.

    Who is Bobby Tables?
    http://bobby-tables.com/

    Reply
  9. Tomi Engdahl says:

    Obama to Announce Retaliation Against Russia for Election Hacks
    http://www.securityweek.com/obama-announce-retaliation-against-russia-election-hacks

    The Obama administration is thought to be finalizing its response to Russian interference in the 2016 election. This could include any combination of economic sanctions, criminal indictments or a cyber response — but the intention is to get something in place that cannot easily be rolled back by President-elect Donald Trump. Details could be announced as early as this week.

    Government agencies have concluded that Russia, likely with the personal direction of Vladimir Putin, were behind the DNC hacks earlier this year. This is thought to be part of a wider ‘disinformation’ campaign designed to support Trump over Clinton. Similar disinformation concerns have been raised in Germany over next year’s German elections.

    Reply
  10. Tomi Engdahl says:

    FDA Releases Guidance for Medical Device Cybersecurity
    http://www.securityweek.com/fda-releases-guidance-medical-device-cybersecurity

    The U.S. Food and Drug Administration (FDA) has released guidance on the postmarket management of cybersecurity for medical devices, encouraging manufacturers to implement security controls that cover products throughout their entire life cycle.

    In 2014, the FDA released guidance for the premarket management of cybersecurity. The recommendations include limiting access to trusted users via various authentication methods, ensuring that only authorized firmware and software can be installed, and implementing features for cyber incident detection, response and recovery.

    The new guidance issued by the FDA focuses on managing cybersecurity risks after the devices have been deployed on a hospital’s network, a patient’s home network, or in a patient’s body.

    http://www.securityweek.com/fda-publishes-cybersecurity-guidance-medical-device-manufacturers

    Content of Premarket Submissions for Management of Cybersecurity in Medical Devices
    http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

    Postmarket Management of Cybersecurity in Medical Devices
    http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf

    Reply
  11. Tomi Engdahl says:

    Chinese Traders Charged With Trading on Information Stolen from Hacked Law Firms
    http://www.securityweek.com/chinese-traders-charged-trading-information-stolen-hacked-law-firms

    The Securities and Exchange Commission (SEC) on Tuesday charged three Chinese men for trading on information stolen from two prominent New York-based law firms they hacked in 2014 and 2015.

    Reply
  12. Tomi Engdahl says:

    Rethink Your Cloud’s Biggest Blind Spot
    http://www.securityweek.com/rethink-your-clouds-biggest-blind-spot

    The cloud has become a powerfully disruptive technology, allowing businesses to be more agile, responsive, and available than ever before by transforming traditional compute architectures and best practices that have been in place for decades. Of course, every time we extend or alter the network perimeter(s) we increase the potential attack surface, and the risks associated with adopting something new often catch us unaware because threats can suddenly come at us from unexpected directions and via technologies with which we only have limited operational experiences.

    Increasingly the challenge from this distribution is that your intrinsically valuable corporate information no longer sits on isolated islands of data. Users, devices, and applications can access virtually any information or interact with virtually anyone, from any device or location, using an increasingly varied range of methods.

    So, while we are reengineering our society, it is time to radically rethink security.

    Of course, we are currently seeing the accelerated adoption of specialized security, such as virtualized, on-demand data center protection, web-application firewalls, security for mobile devices, thin clients, secure email gateways, advanced threat protection, and sandboxes. Some of these tools are deployed locally, some are being deployed on remote and mobile devices, and many are being deployed as services to protect critical cloud resources.

    Reply
  13. Tomi Engdahl says:

    5 Security Lessons Learned in 2016
    http://www.securityweek.com/5-security-lessons-learned-2016

    Time marches on, and so does the state of cyber security. In 2016 we’ve seen cybercriminals continue to innovate.

    1. Data is being monetized in multiple ways in the same attack.
    2. Cybercriminals don’t act with impunity.
    3. Flash remains a popular vulnerability.
    4. Incident response capabilities are advancing.
    5. IoT devices – a new vulnerability. The Mirai malware has launched some of the largest distributed denial of service (DDoS) attacks measured to date.

    Reply
  14. Tomi Engdahl says:

    Facebook Doesn’t Tell Users Everything It Really Knows About Them
    https://www.propublica.org/article/facebook-doesnt-tell-users-everything-it-really-knows-about-them

    The site shows users how Facebook categorizes them. It doesn’t reveal the data it is buying about their offline lives.

    Facebook’s site says it gets information about its users “from a few different sources.”

    What the page doesn’t say is that those sources include detailed dossiers obtained from commercial data brokers about users’ offline lives. Nor does Facebook show users any of the often remarkably detailed information it gets from those brokers.

    “They are not being honest,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “Facebook is bundling a dozen different data companies to target an individual customer, and an individual should have access to that bundle as well.”

    When asked this week about the lack of disclosure, Facebook responded that it doesn’t tell users about the third-party data because it’s widely available and was not collected by Facebook.

    Facebook Privacy: Social Network Buys Data From Third-Party Brokers To Fill In User Profiles
    http://www.ibtimes.com/facebook-privacy-social-network-buys-data-third-party-brokers-fill-user-profiles-2466651

    It comes as no surprise to any Facebook user that the social network gathers a considerable amount of information based on their actions and interests. But according to a report from ProPublica, the world’s largest social network knows far more about its users than just what they do online.

    What Facebook can’t glean from a user’s activity, it’s getting from third-party data brokers. ProPublica found the social network is purchasing additional information including personal income, where a person eats out and how many credit cards they keep.

    Reply
  15. Tomi Engdahl says:

    The U.S. Department of Homeland Security (DHS) and FBI have released an analysis of the allegedly Russian government-sponsored hacking groups
    The 13-page document
    https://www.documentcloud.org/documents/3248260-DHS-FBI-analysis-of-Russian-hackers.html#document/p2

    Reply
  16. Tomi Engdahl says:

    Barcodes stamped on breast implants and medical equipment
    Avoidable harm prevention for things like ‘surgery on the wrong part of the body’
    http://www.theregister.co.uk/2016/12/29/barcodes_stamped_on_breast_implants/

    The NHS is stamping barcodes on breast implants, replacement hips and surgical tools in a bid to improve patient safety.

    The technology is intended to eliminate avoidable harm in hospitals, including errors such as patients being administered the wrong drugs and surgery being performed on the wrong part of the body, said the Department of Health.

    The department recently created a national silicone breast implant database to ensure faulty products can be traced in the event of a product recall.

    Reply
  17. Tomi Engdahl says:

    SSL/TLS Protocol CVE-2016-2183 Information Disclosure Vulnerability
    http://www.securityfocus.com/bid/92630

    Class: Design Error
    CVE: CVE-2016-2183
    Published: Aug 24 2016 12:00AM
    Updated: Dec 30 2016 03:07AM

    Reply
  18. Tomi Engdahl says:

    A year in infosec: Bears, botnets, breaches … and elections
    History made
    http://www.theregister.co.uk/2016/12/26/security_year_in_review_2016/

    How often can we say that an IT blunder might have changed the course of world history? Hillary Clinton’s use of a private email server whilst serving as outgoing US President Barack Obama’s Secretary of State became a key element in the US presidential election this year.

    After a series of high-profile breaches in 2015 that involved criminal and state-sponsored attacks, the leaks continued well into 2016.

    In September, Yahoo! announced that data associated with 500 million user accounts had been stolen in one of the largest cybersecurity breaches ever, dating back to 2014

    Peace also attempted to flog off data on 167 million LinkedIn accounts and 360 million credentials from MySpace users through the dark web.

    By December, Yahoo! admitted that one billion user accounts had been compromised in an earlier attack, dating back to 2013.

    Verizon, which had agreed to buy Yahoo!, threatened to rescind its $4.8bn offer

    The EU’s long awaited General Data Protection Regulation (GDPR) passed this year. GDPR will introduce tougher breach disclosure rules and punitive fines for negligence that results in data breaches of up to four per cent of a business’s annual turnover.

    Ransomware is the new black

    Cybercrime continue to be a problem for businesses as well as consumers throughout the year. Hackers targeted banks connected to the global financial messaging service, SWIFT, in a series of high-profile attacks.

    Ransomware as a threat emerged three years ago or more but scams based on file encrypting malware really reached prime-time in 2016. Victims throughout the year included several hospitals worldwide (examples here, here and here) and San Francisco’s subway system. Victims are normally unable to access compromised data until a payment is made for a decryption key.

    Malware was able to infect IoT devices by taking advantage of default factory-installed passwords.

    Reply
  19. Tomi Engdahl says:

    IETF plants privacy test inside DNS
    ‘Stubby’ aims to protect your metadata from snoopers
    http://www.theregister.co.uk/2016/11/22/dns_boffins_offer_up_privacy_test/

    The Internet Engineering Task Force’s (IETF’s) years-long effort to protect Internet users has taken a small step forward, with one option for better Domain Name System (DNS) privacy reaching the test stage.

    “Stubby”, created by the getdns project team, lets users test encrypted DNS queries.

    The idea isn’t to flick the switch to encryption in one big hit, but rather, to provide a resolver that can accept connections and return responses over Transport Layer Security (TLS) at the user-side.

    The demonstrator’s only dependency is OpenSSL version 1.0.2 or better, so Stubby can authenticate hostnames.

    Reply
  20. Tomi Engdahl says:

    OSCE Confirms ‘Major’ Cyber Attack
    http://www.securityweek.com/osce-confirms-major-cyber-attack

    The Organization for Security and Co-operation in Europe, an international election and war monitor, said Wednesday it had become the latest global institution to suffer a “major” cyber attack.

    The Vienna-based OSCE has its origins in the Cold War but after 1991 it expanded and now has 57 member states including the United States, Russia and Ukraine.

    It currently has 700 monitors focused on the conflict in eastern Ukraine and is also active in observing elections and tracking media freedom.

    OSCE spokeswoman Mersiha Causevic Podzic told AFP in an email that it “became aware of a major information security incident” in early November.

    Western intelligence agency believes that Russian hackers group APT28 was behind the attack.

    yber attacks by criminals and governments are on the rise, with states and firms spending billions of dollars to defend and arm themselves.

    Reply
  21. Tomi Engdahl says:

    Serious PHP Issues Revealed by Flaws in PHPMailer, SwiftMailer
    http://www.securityweek.com/serious-php-issues-revealed-flaws-phpmailer-swiftmailer

    Experts have determined that the remote code execution vulnerabilities affecting the PHPMailer and SwiftMailer email-sending libraries are caused by PHP design flaws.

    Reply
  22. Tomi Engdahl says:

    Sundown Exploit Kit Starts Using Steganography
    http://www.securityweek.com/sundown-exploit-kit-starts-using-steganography

    A new version of the Sundown exploit kit uses a technique called steganography to hide its exploits in harmless-looking image files, Trend Micro reported on Thursday.

    According to Trend Micro, GooNky has attempted to hide its malvertising traffic by appending malicious code to the end of image files. AdGholas has used a more sophisticated technique through the Astrum (Stegano) exploit kit.

    The attackers encoded a script in the alpha channel of an image.

    A similar technique has been observed in a Sundown update spotted by Trend Micro on December 27.

    In the attacks analyzed by the security firm, cybercriminals used PNG images to disguise various exploits, including ones targeting Internet Explorer (CVE-2015-2419, CVE-2016-0189) and Flash Player (CVE-2016-4117).

    Reply
  23. Tomi Engdahl says:

    ProPublica:
    Facebook buys detailed information from commercial data brokers about users’ offline lives but does not disclose it since it is widely available

    Facebook Doesn’t Tell Users Everything It Really Knows About Them
    https://www.propublica.org/article/facebook-doesnt-tell-users-everything-it-really-knows-about-them

    The site shows users how Facebook categorizes them. It doesn’t reveal the data it is buying about their offline lives.

    Reply
  24. Tomi Engdahl says:

    Justin Baragona / Mediaite:
    Matt Drudge says the Drudge Report experienced a 90-minute DDoS attack last night and suggests with no evidence that the US government may have been behind it

    Drudge Report Experiences DDoS Attack, Suggests US Government Behind It
    http://www.mediaite.com/online/drudge-report-experiences-ddos-attack-suggests-us-government-behind-it/

    Earlier this evening, Matt Drudge, the reclusive founder of Drudge Report, took to Twitter to claim that the conservative news site experienced a huge distributed denial of service (DDoS) attack.

    Per Drudge, the attack lasted roughly 90 minutes

    According to the International Business Times, conservatives also claimed that the state-run Russian network RT was down for a while.

    Hacking has been all the rage in the news lately

    Reply
  25. Tomi Engdahl says:

    Bilderberg Website Hacked, Members Given Ultimatum to “Work for Humanity”
    “You won’t be safe anywhere near electricity anymore”
    http://news.softpedia.com/news/bilderberg-website-hacked-members-given-ultimatum-to-work-for-humanity-511424.shtml

    The official website of the Bilderberg Group was compromised today, with attackers posting a message warning that future hacks would be possible unless members start working for the benefit of humanity.

    The official website of the organization was hacked by the HackBack movement and Anonymous, who left a message explaining that all these influential members need to start working for the humanity and not for their own benefit.

    “Dear Bilderberg members, from now on, each one of you have 1 year (365 days) to truly work in favor of humans and not your private interests. Otherwise, we will find you and we will hack you,” the message reads.

    Reply
  26. Tomi Engdahl says:

    OSCE Confirms ‘Major’ Cyber Attack
    http://www.securityweek.com/osce-confirms-major-cyber-attack

    The Organization for Security and Co-operation in Europe, an international election and war monitor, said Wednesday it had become the latest global institution to suffer a “major” cyber attack.

    Reply
  27. Tomi Engdahl says:

    Hacker Claims Theft of Thousands of Passport Numbers from Russian Consulate
    http://motherboard.vice.com/read/hacker-claims-theft-of-thousands-of-passport-numbers-from-russian-consulate?trk_source=recommended

    A hacker claims to have stolen thousands of passport numbers and other pieces of personal information from the website of a Russian consular department.

    The hacker, who calls himself Kapustkiy, plans to publish around a thousand records out of the 30,000 or so he allegedly obtained. The apparent target was ambru.nl, the website for the Consular Department of the Embassy of the Russian Federation in the Netherlands.

    “I hacked them to let them understand a databreach,” Kapustkiy claimed in a Twitter direct message.

    Reply
  28. Tomi Engdahl says:

    College fires IT admin, loses access to Google email, successfully sues IT admin for $250,000
    Sacked techie claims school retaliated over race complaint
    https://www.theregister.co.uk/2017/01/18/school_fires_sues_it_admin/

    Shortly after the American College of Education (ACE) in Indiana fired IT administrator Triano Williams in April, 2016, it found that it no longer had any employees with admin access to the Google email service used by the school.

    In a lawsuit [PDF] filed against Williams in July, 2016, the school alleges that it asked Williams to return his work laptop, which was supposed to have the password saved.

    ACE claimed that its students could not access their Google-hosted ACE email accounts or their online coursework.

    The school appealed to Google, but Google at the time refused to help because the ACE administrator account had been linked to William’s personal email address.

    “By setting up the administrator account under a non-ACE work email address, Mr Williams violated ACE’s standard protocol with respect to administrator accounts,” the school’s complaint states. “ACE was unaware that Mr Williams’ administrator account was not linked to his work address until after his employment ended.”

    According to the school’s court filing, Williams, through his attorney, said he would help the school reinstate its Google administrator account, provided the school paid $200,000 to settle his dispute over the termination of his employment.

    That amount is less than half the estimated $500,000 in harm the school says it has suffered due to its inability to access its Google account, according to a letter from William’s attorney in Illinois, Calvita J Frederick.

    he was told he had to relocate to Indianapolis
    “His working remotely has always been a condition of his employment.”

    Frederick said the school has been subject to several discrimination claims over the past two years.

    Reply
  29. Tomi Engdahl says:

    Fired IT employee offered to unlock data — for $200,000
    http://www.indystar.com/story/news/2017/01/17/after-his-firing-employee-unlock-data-200000/96487962/

    Indianapolis-based American College of Education fired its information technology employee last year, according to court documents, but not before an administrative password was changed.

    The online college then asked the man to unlock the Google account that stored email and course material for 2,000 students, according to a lawsuit filed by the college. The man said he’d be willing to help — if the college paid him $200,000.

    Welcome to the new frontier of tech concerns in a business world that has come to depend on the cloud.

    The college’s IT employees had been spread across the country, too, but the school decided early last year to give them the choice to move to Indianapolis or resign and take a severance deal. Other IT workers resigned, according to court records, leaving Triano Williams as the sole systems administrator when he was fired on April 1 after he refused to relocate from his home in suburban Chicago.

    School officials asked Google for help. Google, the college said, refused to grant access to anyone other than Williams, who was listed as the account’s sole administrator.

    When officials called Williams, he directed them to his lawyer.

    Reply
  30. Tomi Engdahl says:

    That critical “ImageTragick” bug Ars warned you about? It cost Facebook $40k
    Widely used image-processing app left site vulnerable to code-execution exploits.
    http://arstechnica.com/security/2017/01/that-critical-imagetragick-bug-ars-warned-you-about-it-cost-facebook-40k/

    Last May, Ars reported that a critical vulnerability in a widely used image-processing application left a huge number of websites open to attacks that allowed hackers to execute malicious code on the underlying servers. More than five months later, Facebook paid a $40,000 bounty after discovering it was among those at risk.

    On Tuesday, researcher Andrey Leonov, said he was able to exploit the vulnerability in the ImageMagick application by using a tunneling technique based on the domain name system that bypassed Facebook firewalls. The firewalls had successfully protected against his earlier exploit attempts. Large numbers of websites use ImageMagick to quickly resize images uploaded by users.

    Facebook’s ImageTragick story
    http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html

    Reply
  31. Tomi Engdahl says:

    Exploits gone wild: Hackers target critical image-processing bug
    Vulnerability in ImageMagick allows attackers to execute malicious code.
    http://arstechnica.com/security/2016/05/exploits-gone-wild-hackers-target-critical-image-processing-bug/

    Attackers have wasted no time targeting a critical vulnerability that could allow them to take complete control over websites running a widely used image-processing application, security researchers said.

    As Ars reported last week, a vulnerability in ImageMagick allows hackers to execute code of their choice on webservers that use the app to resize or crop user-uploaded images. Over the past few days, security researchers said, attackers have begun uploading booby-trapped images in an attempt to exploit the vulnerability, which is indexed as CVE-2016-3714. CloudFlare, a content delivery network that helps secure and optimize websites, has updated its Web application firewall to block exploits in an attempt to protect customers who have yet to patch the remote code-execution threat.

    “We began watching the exploitation of CVE-2016-3714 as soon as the WAF rule went live across our network,” CloudFlare researcher John Graham-Cumming wrote in a blog post published Monday. “The bad news is that this vulnerability is being actively used by hackers to attack websites.”

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*